Vulnerability Advisor – Secure your Dev + Ops across containers

We introduced the Vulnerability Advisor (VA) service for IBM® Bluemix Containers and for container images in prior posts. VA provides vulnerability and best-practice reports for Docker images hosted in Bluemix, a convenient way to know quickly whether an image is safe to deploy. For example, each image carries a tag like the one below, indicating whether it is safe to deploy as a container:

[Screenshot: deployment-safety tag shown on an image]

To put things in context, the following is a report for an Ubuntu container with 16 vulnerable packages and 3 security-related misconfigurations. The rules that decide whether a package is vulnerable are derived from distribution security bulletins such as Ubuntu Security Notices, from CVE information in the National Vulnerability Database, and from threat intelligence in IBM X-Force Exchange.

[Screenshot: Vulnerability Advisor report for an Ubuntu image with 16 vulnerable packages and 3 misconfigurations]
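The package check behind such a report, as an added example that is not code from the original post or from Vulnerability Advisor itself: a distribution advisory names the version that fixed a package, and an installed package is flagged when its version sorts before that fix under dpkg's own version ordering. The block ports dpkg's `verrevcmp` ordering to Python and evaluates constructed advisory-style rules against a constructed `dpkg-query` inventory; the advisory IDs (`USN-EXAMPLE-n`), the package versions and the function names are assumptions made for illustration.

```python
# Added example, not code from the post or from Vulnerability Advisor.
# Inventory and rules are constructed; the advisory IDs are placeholders.

# Constructed sample in the shape of
#   dpkg-query -W -f='${Package} ${Version}\n'
# run inside an Ubuntu 16.04 container.
SAMPLE_INVENTORY = """\
openssl 1.0.2g-1ubuntu4.5
libssl1.0.0 1.0.2g-1ubuntu4.5
bash 4.3-14ubuntu1.2
curl 7.47.0-1ubuntu2.2
"""

# A package is affected if its installed version sorts before the fix.
SAMPLE_RULES = [
    {"id": "USN-EXAMPLE-1", "package": "openssl",     "fixed": "1.0.2g-1ubuntu4.6"},
    {"id": "USN-EXAMPLE-1", "package": "libssl1.0.0", "fixed": "1.0.2g-1ubuntu4.6"},
    {"id": "USN-EXAMPLE-2", "package": "bash",        "fixed": "4.3-14ubuntu1.2"},
    {"id": "USN-EXAMPLE-3", "package": "curl",        "fixed": "7.47.0-1ubuntu2.3"},
]


def _order(ch):
    # dpkg character weight: '~' sorts before anything (even end of string),
    # letters by ASCII, other punctuation after letters; digits and
    # end-of-string are handled by the caller.
    if ch == "" or ch.isdigit():
        return 0
    if ch.isalpha():
        return ord(ch)
    if ch == "~":
        return -1
    return ord(ch) + 256


def _verrevcmp(a, b):
    # Port of dpkg's verrevcmp(): alternate between comparing runs of
    # non-digits character by character and runs of digits numerically.
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":   # leading zeros do not count
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1    # a still has digits: it is the larger number
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split_version(version):
    # Debian version: [epoch:]upstream[-debian_revision]; the epoch is before
    # the first ':' and the revision after the last '-'.
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(v1, v2):
    """Negative, zero or positive, like `dpkg --compare-versions`."""
    e1, u1, r1 = _split_version(v1)
    e2, u2, r2 = _split_version(v2)
    if e1 != e2:
        return e1 - e2
    return _verrevcmp(u1, u2) or _verrevcmp(r1, r2)


def parse_inventory(text):
    """Turn 'name version' lines into a {name: version} dict."""
    inventory = {}
    for line in text.splitlines():
        if line.strip():
            name, version = line.split()
            inventory[name] = version
    return inventory


def find_vulnerable(inventory, rules):
    """(advisory, package, installed, fixed) for each rule whose package is
    installed in a version older than the one that fixed it."""
    findings = []
    for rule in rules:
        installed = inventory.get(rule["package"])
        if installed is None:
            continue  # package absent: the advisory does not apply
        if compare_versions(installed, rule["fixed"]) < 0:
            findings.append((rule["id"], rule["package"], installed, rule["fixed"]))
    return findings


if __name__ == "__main__":
    for advisory, pkg, have, fixed in find_vulnerable(parse_inventory(SAMPLE_INVENTORY), SAMPLE_RULES):
        print(f"{advisory}: {pkg} {have} is older than fixed version {fixed}")
```

The comparison has to follow dpkg's rules rather than a plain string or tuple compare: `1.10` is newer than `1.9`, `1.0~rc1` is older than `1.0`, and an epoch (`1:1.0`) outranks any epoch-less version, so a naive comparison would produce both false positives and missed findings.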

This is a very useful feature, but it does not capture the fact that a container that started out safe can become unsafe later. The first reason is that a user can log into the container and change the system on the fly: for example, someone does a docker exec and decides it would be a good idea to install an SSH server. The second reason is that Vulnerability Advisor's rules change over time, for example when a vulnerability in an installed package is disclosed after the container first started. Containers age and become more vulnerable than the image they were born from, as security researchers discover new malware and vulnerabilities in the distributions they are built on.

The missing feature is the ability to live-scan containers before they start (as images) and continuously while they are running, using the same rules as for images. This helps monitor the latest configuration of running containers and check for divergence from the image. Divergence usually means the container has untracked changes. Remember: a version control system should track all changes to the system, and a redeploy should be the only way to make them effective. In any case, it is very useful to detect when untracked changes happen. If the system allows them, it is very likely that once in a while a developer will log into a container for a little harmless change. And once in a while, that harmless change will be disastrous.
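The divergence check described in the two paragraphs above, as an added example that is not code from the original post or from Vulnerability Advisor: the package inventory of the image is taken as the baseline, each daily scan of the running container is diffed against it, and any added service package (the docker-exec-then-install-sshd case) is called out, alongside a filter over `docker diff`-style filesystem changes for paths worth a closer look. The package snapshots, the `docker diff` lines, the watch lists and the function names are constructed assumptions for illustration; in practice the baseline would come from the image and the live snapshot from a scan of the running container's filesystem.

```python
# Added example, not code from the post or from Vulnerability Advisor.
# Snapshots, diff lines and watch lists below are constructed.

IMAGE_SNAPSHOT = {            # {package: version} at image build time
    "bash": "4.3-14ubuntu1.2",
    "curl": "7.47.0-1ubuntu2.3",
    "openssl": "1.0.2g-1ubuntu4.6",
}

# Daily scans of the same container; day 0 is taken just after it started.
# On day 2 somebody ran `docker exec` into it and installed an SSH server,
# which also pulled in a newer curl.
DAILY_SCANS = [
    dict(IMAGE_SNAPSHOT),
    dict(IMAGE_SNAPSHOT),
    dict(IMAGE_SNAPSHOT, **{"openssh-server": "1:7.2p2-4ubuntu2.1",
                            "curl": "7.47.0-1ubuntu2.4"}),
]

# Constructed lines in the format of `docker diff <container>`:
# A = added, C = changed, D = deleted.
SAMPLE_DOCKER_DIFF = """\
C /etc
C /etc/ssh
A /etc/ssh/sshd_config
A /usr/sbin/sshd
C /var/lib/dpkg/status
A /root/.bash_history
"""

# Packages that open a listening service; their appearance in a container
# that did not ship them is exactly the change the post warns about.
SERVICE_PACKAGES = {"openssh-server", "telnetd", "vsftpd"}

# Paths where any change deserves a closer look.
SENSITIVE_PREFIXES = ("/etc/ssh", "/etc/passwd", "/etc/shadow", "/etc/sudoers",
                      "/usr/sbin", "/usr/bin", "/lib", "/usr/lib")


def compute_drift(baseline, live):
    """Packages added, removed or changed relative to the baseline."""
    added = {p: v for p, v in live.items() if p not in baseline}
    removed = {p: v for p, v in baseline.items() if p not in live}
    changed = {p: (baseline[p], v) for p, v in live.items()
               if p in baseline and baseline[p] != v}
    return {"added": added, "removed": removed, "changed": changed}


def has_drift(report):
    return any(report[key] for key in ("added", "removed", "changed"))


def first_drift_day(baseline, scans):
    """Index of the first daily scan that diverges from the image, or None."""
    for day, snapshot in enumerate(scans):
        if has_drift(compute_drift(baseline, snapshot)):
            return day
    return None


def risky_additions(report, watchlist=SERVICE_PACKAGES):
    """Added packages that are on the service watch list."""
    return sorted(p for p in report["added"] if p in watchlist)


def parse_docker_diff(text):
    """Turn 'A|C|D path' lines into (kind, path) tuples."""
    changes = []
    for line in text.splitlines():
        if line.strip():
            kind, path = line.split(" ", 1)
            changes.append((kind, path))
    return changes


def sensitive_changes(changes, prefixes=SENSITIVE_PREFIXES):
    """Filesystem changes that touch one of the watched paths."""
    def watched(path):
        return any(path == pre or path.startswith(pre + "/") for pre in prefixes)
    return [(kind, path) for kind, path in changes if watched(path)]


if __name__ == "__main__":
    day = first_drift_day(IMAGE_SNAPSHOT, DAILY_SCANS)
    print("first divergence on day", day)
    report = compute_drift(IMAGE_SNAPSHOT, DAILY_SCANS[day])
    print("added:", report["added"], "changed:", report["changed"])
    print("service packages installed after start:", risky_additions(report))
    for kind, path in sensitive_changes(parse_docker_diff(SAMPLE_DOCKER_DIFF)):
        print(f"  {kind} {path}")
```

Keeping the image inventory as the baseline, rather than the previous day's scan, is deliberate: a change that slips in on day 2 stays reported on every later day until the container is redeployed from a fixed image, which is the workflow the text asks for.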

Vulnerability Advisor Live-scanner

We now introduce the Live-scanner service for running containers in Bluemix (notice the part about running containers).

I know what you’re saying: ‘Where can I get these fine new items?’ Well, that’s the gag. Chances are, you’ve bought ’em already! — The Joker (Batman 1989)

If you want to use this new feature, all you have to do is start a container as you did before. In fact, existing containers already have a Vulnerability report, the same report you would get for an image. VA generates it within a couple of minutes of starting a new container and regenerates it once a day. You do not have to change your container or image in any way to get these reports: no agent inside the container, no sidecar container, and no special base image. It all works out of the box. Here is an example of a container without vulnerabilities:

[Screenshot: report panel for a running container with no vulnerabilities]

Click on the panel and the same detailed report as for images shows the container's Vulnerability report:

[Screenshot: detailed Vulnerability report for the running container]

Try Vulnerability Advisor, it’s free!

VA for running containers is now available to you in production in IBM Bluemix Containers Service. Don’t forget to play with this new feature. It should be easy. Again, all you have to do is take a look at your existing containers in the console.
